The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Deanna Tanner Okun, Chairman
Charlotte R. Lane
Daniel R. Pearson
Shara L. Aranoff
Irving A. Williamson
Dean A. Pinkert

OFFICE OF INSPECTOR GENERAL
UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, DC 20436

October 19, 2010
OIG-HH-028

Chairman Okun:

This memorandum transmits the Office of Inspector General's final report Audit of Perimeter Network Security, OIG-AR-11-01. In finalizing the report, we analyzed management's comments on our draft report and have included those comments in their entirety in Appendix A.

This report contains two recommendations for corrective action. The Commission has already implemented these recommended changes. As a result, we consider that final action has been completed for all recommendations in this report.

Thank you for the courtesies extended to my staff during this audit, and for quickly addressing our recommendations.

Sincerely,

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report
OIG-AR-11-01

Table of Contents
Results of Audit
Area for Improvement
   Web servers should use current security protocols and a minimum 112-bit cipher key strength
      Recommendation 1: That the Commission discontinue use of SSLv2 (Secure Sockets Layer version 2).
      Recommendation 2: That the Commission require a minimum 112-bit key strength for its ciphers.
Management Comments and Our Analysis
Objective, Scope, and Methodology
Appendix A: Management Comments on Draft Report

Results of Audit

The objective of this audit was to determine: "Is ITCNet's perimeter defense effective?"

ITCNet's perimeter defense is effective.

A penetration test is an attempt to breach a network and gain unauthorized access to its resources. On July 28-29, 2010, we conducted a penetration test of ITCNet using public information.
Our Google search for information on ITCNet servers identified 22 potential targets. The IP (Internet Protocol) addresses of the identified servers indicated a network range of 256 addresses where ITCNet hosts its servers. We used software to discover listening service ports, and then we scanned the servers for known vulnerabilities.

The USITC's computer network, ITCNet, has over 500 systems, consisting of servers, desktops, laptops, printers, phones, and network infrastructure devices. Every computer is connected to the network with a unique IP address. For example, a desktop PC on ITCNet will have an address like 192.168.50.40. A typical Windows XP PC can have more than 20 listening ports. Each port serves a function; for instance, an Internet browser connects to port 80 to request web pages from a server, and email servers use port 25 to transfer messages. It would be normal for a network of 500 systems to present 10,000 listening ports, all potential targets for attack.

The goal of perimeter defense is to minimize the number of exposed ports, known as the "attack surface." A network with no open ports is not a network: open ports are required to communicate. Devices such as firewalls are configured to limit the number of ports exposed to the Internet, and newer technologies such as Intrusion Detection and Prevention Systems (IDPS) can provide additional protection.

Several effective characteristics of ITCNet's perimeter defense include the following:

   •   ITCNet's firewalls effectively limit the exposure of internal systems to the Internet. Inside ITCNet, 10,000 or more service ports might be actively listening and responding to requests. From the Internet, only 51 ports were discovered in our scan of the ITC network.
   •   Not all of these 51 ports were real ITCNet services: after we communicated with certain ports, we lost all communication with ITCNet. This indicated that these ports were intentional decoys presented by the IDPS to identify attackers.
   •   ITCNet uses IDPS. This software quickly detected our scans and blocked further scanning attempts.
   •   The listening services we identified all seemed to be functions necessary for the USITC to conduct business. We did not find any instances of services that should not have been exposed to the Internet.
   •   ITCNet's remote access services require two-factor authentication. Without a valid user name, password, PIN, and the one-time code from the user's RSA token (which changes every sixty seconds), it is not possible to log in to ITCNet from the Internet.
   •   DNS zone transfers are not allowed. The Commission is following a best practice of not publishing this information. If allowed, a zone transfer would effectively provide a potential hacker with an official map of ITC's network, much as a phone book would tell an outsider about every employee and their phone number. In the effort to secure a network, the less technical information published, the better.

In summary, ITCNet's perimeter defense effectively prevented our intrusion attempts.

An effective perimeter defense is a significant component of a complete network security program. An attacker can exploit a network in a number of ways.
In general, she can attack the network perimeter as we did, or she can bypass the perimeter by tricking a user into letting her in. Means of accomplishing this could be as simple as having a user open a malicious email or visit an infected website, or leaving an infected USB drive near the front door of the building to be found by an employee. While ITCNet's current perimeter defense is effective, continuous attention and improvement are required to ensure that it remains effective in the future.

Our penetration testing did reveal a potential area for improvement: Commission web servers should use current security protocols and a minimum 112-bit cipher key strength. This potential area for improvement is detailed below.

Area for Improvement

Web servers should use current security protocols and a minimum 112-bit cipher key strength.

We identified eight servers used by the Commission to publish information on the web. Of these eight servers, we identified four that provide sensitive information and use encryption. Encryption involves many components; two that are configured on the Commission's web servers are the security protocol and the length of the cipher key. One server uses current security protocols and a 112-bit cipher key strength. The other three use older protocols and allow weaker 40- and 56-bit encryption.

Why Are Protocols Important?

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are used to secure network communications. These protocols are designed to encrypt sensitive information, such as health, financial, or confidential business data. When a user accesses a website to transmit or receive sensitive information, the website should be configured to communicate in a secure, encrypted manner. SSL version 2 was the first publicly released version of the protocol used to secure this network traffic. It contains security flaws and was superseded by SSL v3 in 1996. TLS was introduced in 1999 as an upgrade to SSL.

Three USITC websites allow use of the outdated SSLv2 protocol.

Why Is Cipher Key Strength Important?

The strength of encryption can be described by the number of bits in the cipher key. A 1-bit key is analogous to a coin: just as a coin can only be heads or tails, a bit is either 0 or 1. A 1-bit key would require at most two tries to get it right. A 2-bit key would have 4 possibilities: 00, 01, 10, and 11. A 3-bit key would present 8 possibilities: 000, 001, 010, 011, 100, 101, 110, and 111. In general, an n-bit key has 2^n possibilities, so each additional bit doubles the work of an exhaustive search. Other cipher key strengths:

   •   40-bit: 1,099,511,627,776 possibilities
   •   56-bit: 72,057,594,037,927,936 possibilities
   •   112-bit: 5,192,296,858,534,827,628,530,496,329,220,096 possibilities

Today's computing power makes it feasible for individuals to crack weaker encryption. Commodity hardware available today for $400 can test 1.8 billion candidate keys per second. This hardware could try every one of the more than 1 trillion possible 40-bit keys in about 10 minutes. More sophisticated and better funded hacking efforts would employ much higher performance systems, greatly reducing the time required to break encryption.
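As an added example (not the auditors' or the Commission's tooling), the following Python script applies the report's two criteria to a server's cipher list in the line format printed by `openssl ciphers -v`: it flags suites negotiated under SSLv2 (Recommendation 1) and suites whose effective key strength is below 112 bits (Recommendation 2), labels each suite Low, Medium or High as the report does, and reproduces the maximum crack times the report gives for 40-, 56- and 112-bit keys from the 1.8-billion-per-second rate. The sample cipher list is constructed; the Low/Medium boundaries (below 56 bits, 56 to 111 bits) are this example's reading of the report's labels; the mapping of 3DES from its 168-bit key to 112 bits of effective strength is the standard NIST SP 800-57 figure, not something the report states; and a 365-day year is assumed because that reproduces the report's numbers.

```python
"""Cipher-suite audit using the report's two criteria.

Input is the line format printed by `openssl ciphers -v`, one suite per line:
name, protocol, Kx=..., Au=..., Enc=alg(bits), Mac=..., optional 'export'.
Added example, not the auditors' or the Commission's tooling.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample in `openssl ciphers -v` format; not captured from any
# Commission server.
SAMPLE_CIPHERS_V = """\
EXP-RC4-MD5      SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5  SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
RC4-MD5          SSLv2 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC-SHA      SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
DES-CBC3-SHA     SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA       SSLv3 Kx=RSA      Au=RSA Enc=AES(128)  Mac=SHA1
AES256-SHA       TLSv1 Kx=RSA      Au=RSA Enc=AES(256)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+"
    r"Enc=(?P<alg>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=\S+"
)

MIN_BITS = 112                   # Recommendation 2
KEYS_PER_SECOND = 1_800_000_000  # the report's rate for $400 commodity hardware
SECONDS_PER_YEAR = 365 * 86400   # assumption: a 365-day year reproduces the report's figures


@dataclass
class Suite:
    name: str
    proto: str
    alg: str
    nominal_bits: int

    @property
    def effective_bits(self) -> int:
        # 3DES has a 168-bit key but meet-in-the-middle limits it to 112 bits
        # of security (the NIST SP 800-57 figure); that is the "112-bit"
        # strength the report accepts.  Other algorithms are taken at their
        # nominal key size, which is the report's criterion; key length says
        # nothing about other weaknesses of an algorithm (RC4, MD5).
        return 112 if self.alg.upper() == "3DES" else self.nominal_bits

    @property
    def strength(self) -> str:
        # Boundaries are this example's reading of the report's Low (40-bit)
        # and Medium (56-bit) labels.
        if self.effective_bits < 56:
            return "Low"
        if self.effective_bits < MIN_BITS:
            return "Medium"
        return "High"


def parse_ciphers_v(text: str) -> list[Suite]:
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank or unrecognised lines are skipped, not guessed at
            suites.append(Suite(m["name"], m["proto"], m["alg"], int(m["bits"])))
    return suites


def audit(text: str) -> dict[str, list[str]]:
    """Sort each suite by the recommendation it violates; a suite can fail both."""
    result: dict[str, list[str]] = {"sslv2": [], "weak": [], "acceptable": []}
    for s in parse_ciphers_v(text):
        flagged = False
        if s.proto == "SSLv2":            # Recommendation 1
            result["sslv2"].append(s.name)
            flagged = True
        if s.effective_bits < MIN_BITS:   # Recommendation 2
            result["weak"].append(s.name)
            flagged = True
        if not flagged:
            result["acceptable"].append(s.name)
    return result


def max_crack_years(bits: int, rate: float = KEYS_PER_SECOND) -> float:
    """Worst case: all 2**bits keys tried at `rate` keys per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    text = SAMPLE_CIPHERS_V if sys.stdin.isatty() else sys.stdin.read()
    for s in parse_ciphers_v(text):
        print(f"{s.name:16} {s.proto:6} {s.effective_bits:4d}-bit {s.strength}")
    print(audit(text))
    for bits in (40, 56, 112):
        print(f"{bits:3d}-bit key: {max_crack_years(bits):.3g} years maximum")
```

Piping `openssl ciphers -v 'HIGH:!aNULL:!eNULL'` into the script shows what a candidate Apache `SSLCipherSuite` string would admit; the suites a live server actually negotiates are better enumerated with `nmap --script ssl-enum-ciphers -p 443 <host>`. On Apache httpd, `SSLProtocol all -SSLv2` implements Recommendation 1, and `openssl s_client -ssl2 -connect <host>:443` (on an OpenSSL build that still includes SSLv2) should then fail to connect.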
Requiring web servers to deploy a minimum 112-bit cipher key strength would provide a high degree of protection for all sensitive Commission data.

Maximum time required to crack selected ciphers using inexpensive commodity hardware (every possible key tried at 1.8 billion keys per second):

   •   40-bit: 10 minutes
   •   56-bit: 1.27 years
   •   112-bit: 91,470,362,945,607,600 years

Three USITC websites allow the use of Low strength (40-bit) or Medium strength (56-bit) ciphers, placing the traffic at risk of being intercepted and decrypted.

Recommendation 1:

That the Commission discontinue use of SSLv2 (Secure Sockets Layer version 2).

Recommendation 2:

That the Commission require a minimum 112-bit key strength for its ciphers.

Management Comments and Our Analysis

On October 15, 2010, Chairman Deanna Tanner Okun provided management comments to the draft audit report. The Chairman agreed that the Commission's perimeter defense is effective.

Based on the recommendations we made in our draft report, the Office of the CIO has reconfigured its Internet-facing web servers to remove the SSL v2 protocol and require a minimum 112-bit cipher key strength.

Objective, Scope, and Methodology

Objective:
Is ITCNet's perimeter defense effective?

Scope:
This audit focused on performing a penetration test of all public, Internet-accessible USITC services, including DNS, Web, and Email servers as well as any other discoverable services on July 28-29, 2010.
The scope was restricted to the use of only two IP source addresses, involved only external probes of logical network security, and was time restricted to only two days of attacks. This audit involved specific testing, and is not to be interpreted as an audit of compliance. The following techniques were not used in our testing, but would be used by motivated attackers that had little concern about the health of ITCNet:

   •   Potentially destructive activities
   •   Denial of Service
   •   Social Engineering
   •   Spearphishing
   •   Malware-infected USB drives
   •   Distributed scans
   •   Wi-Fi scans
   •   Wardialing
   •   Spoofing
   •   Brute Force Attacks
   •   Physical Security testing

Methodology:
We used publicly available information to discover USITC's Internet-accessible assets. The information gathered provided us with a map of the Commission's Internet services, which we used as a starting point for our discovery scans. We used Nmap with multiple source addresses and with delayed timing to perform discovery, Nessus 4.2.2 to perform general vulnerability scanning, and Cenzic Hailstorm Pro 6.5 to perform website-specific vulnerability scanning.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
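As an added illustration of the discovery step described in the methodology and in the Results of Audit (example code, not the auditors' tooling; the report names Nmap for this), the following Python script probes a list of TCP ports with a delay between probes, classifies each port as open, closed or filtered, and stops when a host that had been answering goes silent for several consecutive probes, which is how the decoy ports and the IDPS block the auditors ran into look from the scanner's side. The loopback listener and the scripted "goes dark" responder are constructed for the example; the 198.51.100.1 address is a documentation placeholder that the scripted responder never contacts.

```python
"""Listening-port discovery with delayed timing and a stop rule for the case
where the target stops answering mid-scan (decoy port hit, IDPS block).

Added example, not the auditors' tooling.  Only scan hosts you are authorised
to test.
"""
from __future__ import annotations

import socket
import threading
import time
from typing import Callable, Iterable


def probe(host: str, port: int, timeout: float) -> str:
    """TCP connect probe: 'open', 'closed' (connection refused) or
    'filtered' (no answer within the timeout, or no route)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # timeout, unreachable, reset: all read as silence
            return "filtered"


def scan(host: str, ports: Iterable[int], delay: float = 0.0,
         timeout: float = 0.5, block_threshold: int = 3,
         prober: Callable[[str, int, float], str] = probe) -> dict:
    """Probe `ports` in order, sleeping `delay` seconds between probes (the
    slow-timing idea behind nmap's -T options).  Once the host has answered
    at least once, `block_threshold` consecutive silent probes are read as
    the host having gone dark and the scan stops, so an IDPS block is not
    mistaken for a run of ordinary filtered ports."""
    states: dict[int, str] = {}
    answered = False
    silent_run = 0
    blocked_at = None
    for port in ports:
        state = prober(host, port, timeout)
        states[port] = state
        if state == "filtered":
            silent_run += 1
        else:
            answered = True
            silent_run = 0
        if answered and silent_run >= block_threshold:
            blocked_at = port
            break
        time.sleep(delay)
    return {
        "open": sorted(p for p, st in states.items() if st == "open"),
        "probed": len(states),
        "blocked_at": blocked_at,  # None unless the stop rule fired
    }


def start_local_listener() -> tuple[socket.socket, int]:
    """Constructed target: a loopback listener on an ephemeral port, so the
    example runs offline.  Returns the server socket and its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # server socket closed: stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def make_dark_host(answers: int) -> Callable[[str, int, float], str]:
    """Constructed responder standing in for a host whose IDPS cuts us off:
    the first `answers` probes see an open port, everything after is silent."""
    seen = {"n": 0}

    def prober(host: str, port: int, timeout: float) -> str:
        seen["n"] += 1
        return "open" if seen["n"] <= answers else "filtered"

    return prober


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("loopback:", scan("127.0.0.1", [port, port + 1], delay=0.1))
    srv.close()
    # 198.51.100.1 is a documentation address; the scripted prober never
    # touches the network.
    print("host goes dark:",
          scan("198.51.100.1", [80, 443, 8080, 8443, 9000],
               prober=make_dark_host(1)))
```

The stop rule is what the report's decoy-port observation calls for: a scanner that keeps hammering after the host stops answering only confirms to the IDPS that it is looking at an attacker, and the remaining results are meaningless anyway. The report's "multiple source addresses" is the other half of the same trade-off and is not modelled here.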
Appendix A: Management Comments on Draft Report

"Thacher's Calculating Instrument" developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used by architects, engineers, and actuaries as a measuring device.